CVE-2024-4577: Critical vulnerability in PHP

CVE-2024-4577 can be exploited in all versions of PHP for Windows and lead to the execution of malicious code

A critical vulnerability in PHP has recently been published that could lead to remote command injection. The vulnerability can be exploited in all versions of PHP for Windows specially in Traditional Chinese, Simplified Chinese and Japanese language configurations, even in default installations using XAMPP. There are currently several PoCs with public exploits that reveal the vulnerability.

The vulnerability, whose identifier is CVE-2024-4577, has a CVSS v3 score of 9.8 according to NIST and is based on the CGI engine not escaping the soft hyphen (0xAD), which PHP receives and applies a “best fit” mapping, as it thinks we want to put a real hyphen in place of it, thus allowing an attacker to add extra arguments to exploit the vulnerability.

PHP is a programming language mainly used for developing dynamic web pages and web applications. It runs on the server and integrates easily with HTML and databases like MySQL. Due to its simplicity and extensive documentation, PHP is very popular among developers, allowing them to create robust websites and web applications efficiently.

The vulnerability CVE-2024-4577 applies to the following PHP versions:

• PHP 8.3 < 8.3.8
• PHP 8.2 < 8.2.20
• PHP 8.1 < 8.1.29

Older versions, which are no longer supported such as PHP 8, PHP 7 and PHP 5 are also vulnerable.

Main features

The main characteristics of this vulnerability are detailed below:

• CVE Identifier: CVE-2024-4577
• Release date: 09/06/2024
• Affected software: PHP
• CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical)
• Affected versions
  • PHP 8.3 < 8.3.8
  • PHP 8.2 < 8.2.20
  • PHP 8.1 < 8.1.29
  • PHP 8
  • PHP 7
  • PHP 5
• Exploitation Requirements
  • PHP software must be configured in CGI mode.
  • Exploitation is possible if php.exe or php-cgi.exe binaries are exposed (all default installations in XAMPP for Windows).
  • Operating system must be Windows.

Mitigation of CVE-2024-4577

The main solution is to urgently update the PHP software to one of the new patched versions that fix this vulnerability:

• 8.3.8
• 8.2.20
• 8.1.29

A temporary mitigation would be to rewrite the following rule, but it is only compatible for Traditional Chinese, Simplified Chinese and Japanese installations:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

For default installations of XAMPP on Windows you may choose to comment out the following line in the httpd-xampp.conf file:

# ScriptAlias /php-cgi/ "C:/xampp/php/"

Finally, it is advisable to evaluate the migration to more secure architectures such as Mod-PHP, FastCGI or PHP-FPM.

Vulnerability detection

The presence of the vulnerability can be identified by version number or through the use of scripts or Nuclei templates.

It is recommended to apply the patch urgently, as malicious actors are using the TellYouThePass ransomware to actively exploit it.

As part of its emerging vulnerabilities service, Tarlogic proactively monitors the perimeter of its clients to report, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.